A high-severity vulnerability named Pack2TheRoot, tracked as CVE-2026-41651 with an 8.8 rating, has existed for nearly twelve years in the PackageKit daemon across multiple Linux distributions. The flaw allows local users to install or remove system packages and escalate privileges to root. Deutsche Telekom's Red Team discovered the issue using the Claude Opus AI tool while investigating how commands could execute without authentication under specific conditions on Fedora systems.
The vulnerability affects PackageKit versions 1.0.2 through 1.3.4, impacting distributions including Ubuntu Desktop 18.04 through 26.04, Ubuntu Server 22.04 through 24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43. Any Linux distribution with PackageKit pre-installed and enabled out-of-the-box should be treated as potentially vulnerable. Researchers reported their findings to Red Hat and PackageKit maintainers on April 8, with a fix released in version 1.3.5.
Exploitation causes the PackageKit daemon to hit assertion failures and crash; the crashes are visible in system logs even though systemd automatically restarts the process. Technical details and a demo exploit have been withheld to give patches time to propagate. Users are advised to upgrade to PackageKit 1.3.5 immediately and to check whether the daemon is running with systemctl or pkmon. Any system with PackageKit running remains at risk until patched, regardless of distribution.
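The two checks the advisory recommends, as an added POSIX shell example that is not code from the article or the PackageKit project: a version test against the affected range and a scan of journal lines for the daemon's assertion-failure crashes. It assumes the systemd unit is named packagekit.service and that `pkcon --version` prints the installed version; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or the PackageKit project.
# Defender-side checks for Pack2TheRoot (CVE-2026-41651):
#  1. is the installed PackageKit version inside the affected range?
#  2. do the logs show the assertion-failure crashes the article describes?
# Assumptions (not stated in the article): the systemd unit is named
# packagekit.service and `pkcon --version` prints the installed version.

# pk_version_vulnerable VERSION -> exit 0 if VERSION lies in 1.0.2 .. 1.3.4
# (the affected range the article gives; 1.3.5 carries the fix), 1 otherwise.
pk_version_vulnerable() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    case $rest in
        *.*) min=${rest%%.*}; pat=${rest#*.} ;;
        *)   min=$rest;       pat=0 ;;
    esac
    # strip distro suffixes such as "-2ubuntu1" before doing arithmetic
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    n=$(( ${maj:-0} * 10000 + ${min:-0} * 100 + ${pat:-0} ))
    if [ "$n" -ge 10002 ] && [ "$n" -le 10304 ]; then return 0; else return 1; fi
}

# pk_crash_count < LOGLINES -> number of journal lines in which packagekitd
# reports an assertion failure (systemd restarts the daemon, so the crash
# the article describes is only visible here).
pk_crash_count() {
    grep -ciE 'packagekitd\[[0-9]+\]:.*assertion' || true
}

# Constructed sample journal lines (not real logs) to exercise the scan.
SAMPLE_LOG='May 01 10:00:01 host packagekitd[1234]: daemon started
May 01 10:00:05 host packagekitd[1234]: ERROR: assertion failed (constructed)
May 01 10:00:05 host systemd[1]: packagekit.service: Main process exited
May 01 10:00:06 host systemd[1]: packagekit.service: Scheduled restart job
May 01 10:02:11 host packagekitd[1301]: CRITICAL: assertion failed (constructed)
May 01 10:03:00 host sshd[900]: Accepted publickey for alice'

# pk_host_check: run the live checks on this machine (needs journal access).
pk_host_check() {
    state=$(systemctl is-active packagekit 2>/dev/null || echo unknown)
    ver=$(pkcon --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    echo "packagekit.service: $state, version: ${ver:-unknown}"
    if [ -n "$ver" ] && pk_version_vulnerable "$ver"; then
        echo "VULNERABLE: upgrade PackageKit to 1.3.5 or later"
    fi
    echo "assertion crashes in journal: $(journalctl -u packagekit --no-pager 2>/dev/null | pk_crash_count)"
}

printf '%s\n' "$SAMPLE_LOG" | pk_crash_count    # prints 2 for the sample above
```

Call `pk_host_check` on a real host to run the live checks; the top-level line only exercises the scan on the constructed sample.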
